Completing Access Control support for XDomainRequest

Back in October, Sunava described changes that we made to the XDomainRequest (XDR) object in IE8 between the Beta 1 and Beta 2 releases. This object allows your AJAX web pages to request data from sites with a different hostname from the page itself, something that IE doesn’t allow for security reasons via XMLHttpRequest. Since Beta 1 we’ve been working with the W3C Web Application group on the Access Control framework and the changes we made in Beta 2 were to adopt the Simple Cross-Site Access Request.

I’m happy to announce that we have recently completed our support for the Access Control Check using the Access-Control-Allow-Origin header defined by the updated spec. This means that, in addition to the wildcard check (looking for *) that we supported in Beta 2, we also now support the origin URL check. This support will be part of the next public release of IE that Dean announced a few weeks ago.

I have recorded a short video that demonstrates how to use XDR and what this announcement means. It also shows how the Access Control framework is supported by other browsers allowing interoperable services to be called from your pages.